Mozilla's web security guru talks open source
23rd Nov 2013 | 12:00
Mozilla is about more than just web browsers
Mozilla is about more than just web browsers - it's an organisation committed to making the web a better place for users. As part of this, it's funding development of a tool to help web developers make their sites more secure: the Zed Attack Proxy (or ZAP).
Our sister magazine Linux Format met lead developer and security campaigner Simon Bennetts to talk about ZAP, Mozilla and black hats.
LXF: Can you let us a little bit about how you started using open source software?
SB: I've been using open source for many years as a developer. I really like it, and I like the principals behind it, but I'd never had the opportunity to contribute to any. I'd tried to convince previous companies that some of our products should be open, but to no effect. Those are commercial decisions, which I typically don't get involved in. I wanted to have a project to work on, and I wanted to learn about security, so I decided to start work on ZAP, as it became. It all came from there, really.
LXF: And you're now working for Mozilla. What's the culture like?
SB: Completely bizarre. Really strange. I've come from a commercial background, and the discussions we have are completely different. You have discussions about whether you should have the discussions in public or not. It's all about what's best for the users - what's best for people who use the internet. It's a very accepting culture and it's a very supportive culture. It's all about doing the right thing, which is really nice to be part of.
LXF: Can you tell us a bit about ZAP. What's it for? Who is it aimed at?
SB: I'm trying to aim it at as wide an audience as possible. It's a tool for finding vulnerabilities in web applications. It's used by security teams - professional penetration testers - but my focus is to get developers, functional testers and quality assurance using it because I think it's important that they understand security.
I believe that you can't create secure web applications unless you have some understanding of web application security. This is a way of understanding that. It allows you to hack your own web applications and get some understanding of what the bad guys are going to do.
LXF: What's the thing that's surprised you most about working on an open source project?
SB: I suppose the willingness of people to help. I wanted ZAP to be a community project because I think the strength of open source comes from when anyone can contribute. It's been great getting people involved, people to helping out and people doing some really great work. Dealing with the people has been a real pleasure.
LXF: How many contributors are there?
SB: Quite a lot. We have a list of credits on the website that's included with ZAP as well. There are 30 or 40 names on there. About half a dozen contribute code regularly, and some people as and when. It is a community project, so I want people to get involved.
We're very supportive of new people, so whether you're a developer who wants to learn about security or an expert in security who wants to learn more, then we're happy to help you. I'm happy to spend an hour helping someone do something that would take me 20 minutes to do myself, because that means that the person can do more in the future.
LXF: Are there any skills shortages you've found in the open source community?
SB: Documentation! I haven't found a shortage of security skills; surprisingly. ZAP has taken off in the security community, so there's people working on ZAP that know a lot more about security than I do. I'm still learning. I guess we all are!
I suppose there's less of a testing background, but Björn Kimminich has just joined the team and he's from a QA background. He pointed out that there aren't many ZAP regression tests. He's right, and he's started writing them. So we're finally getting some unit tests, which I'd been meaning to do for some time. We could use more people working on the tests, working on the documentations and working on it generally, but that's always the case.
LXF: If there was one piece of advice for people to develop secure web apps, what would it be?
SB: Start learning about security. If you don't know anything about security, you can't build secure web apps. Something like the Open Web Application Security Project (OWASP) top ten risks to web applications is a great place to start. You can start learning about cross-site request forgeries and things like that, which a lot of developers don't know about.
LXF: How do you deal with the issue that ZAP will be used by some bad guys?
SB: That was something I worried about before releasing ZAP. The justification I've got, and the one I still think is valid, is that the bad guys already know how to do all this. The bad guys know the techniques, and they've got their own tools.
A lot of it is knowledge - the bad guys have it and the good guys don't - so I'm aiming this at the good guys. I'm trying to make it as easy as possible with things like integrating ZAP in a continuous integration environment - things that the bad guys aren't interested in. We focus on things that the good guys can use, and it's levelling the playing field to give them a fighting chance.
LXF: Have you made any design decisions that make it harder for black hats to use?
SB: There are certain things that people have asked for that I don't really want to develop - other people can develop them - so there are definitely things that I can think of (which I won't mention) that I would not be comfortable implementing. But in the end, the bad guys will have the tools, and theywill use them to attack your web applications. They're attacking your web applications right now.